Lessons From Equifax

Equifax, a major US credit bureau, has experienced a massive data breach. While the exact causes and the fallout from this breach are still under scrutiny, there are some suppositions and educated guesses that are, if not definitive about what happened at Equifax, at least helpful in showing how we can avoid mistakes like this.

Rather than integrate its web infrastructure, Equifax hacked together multiple software systems. Stitching together multiple systems rather than running one backbone gives hackers and malicious software more places to sneak in. Leaving this larger “attack surface” exposed is a bit like playing football without pads; you might be fine, but something dangerous is more likely to happen than if you had protected yourself. On a practical level, this means we should install as little software as we can get away with on a given computer; the fewer options a potential attacker has, the harder it is to find a vulnerability.
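One way to keep the “install as little as you can” rule honest is to write down a minimal baseline of what a host is supposed to run and regularly diff the real inventory against it. The script below is an added illustration, not code from the original post or from Equifax: it parses constructed, `dpkg -l`-style and `ss -ltn`-style output (the package names, ports and approved baseline are all made-up sample data) and reports every installed package and listening socket that is not on the approved list.

```python
"""Attack-surface drift check (added example, not from the original post).

Compares what is actually installed and listening on a host against a
minimal approved baseline and reports anything extra. All package names,
ports and command output below are constructed sample data.
"""
import re

# Assumed baseline: what this host is supposed to run. Anything beyond
# this is extra attack surface that should be justified or removed.
APPROVED_PACKAGES = {"openssl", "nginx", "libc6", "ca-certificates"}
APPROVED_LISTENERS = {("0.0.0.0", 443), ("127.0.0.1", 22)}

# Constructed sample in the shape of `dpkg -l` output (not real host data).
SAMPLE_DPKG = """\
ii  ca-certificates  20230311  all    Common CA certificates
ii  libc6            2.36-9    amd64  GNU C Library
ii  nginx            1.22.1    amd64  small, powerful web server
ii  openssl          3.0.11    amd64  Secure Sockets Layer toolkit
ii  telnetd          0.17-46   amd64  telnet server
ii  samba            4.17.12   amd64  SMB/CIFS file server
"""

# Constructed sample in the shape of `ss -ltn` output (not real host data).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     127.0.0.1:22        0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*
LISTEN  0       128     [::]:443            [::]:*
"""

DPKG_LINE = re.compile(r"^ii\s+(\S+)\s+")          # 'ii' = installed
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def installed_packages(dpkg_output):
    """Return the set of package names that dpkg marks as installed."""
    names = set()
    for line in dpkg_output.splitlines():
        m = DPKG_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def listening_sockets(ss_output):
    """Return (address, port) tuples for every LISTEN socket."""
    sockets = set()
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:
            addr = m.group(1).strip("[]")   # normalise "[::]" -> "::"
            sockets.add((addr, int(m.group(2))))
    return sockets


def unexpected_packages(dpkg_output, approved=APPROVED_PACKAGES):
    """Installed packages that are not in the approved baseline."""
    return sorted(installed_packages(dpkg_output) - approved)


def unexpected_listeners(ss_output, approved=APPROVED_LISTENERS):
    """Listening sockets that are not in the approved baseline."""
    return sorted(listening_sockets(ss_output) - approved)


if __name__ == "__main__":
    for pkg in unexpected_packages(SAMPLE_DPKG):
        print(f"unexpected package: {pkg}")
    for addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {addr}:{port}")
```

On a real host you would feed the script the output of `dpkg -l` and `ss -ltn` (or the equivalents for your platform) instead of the embedded samples; the baseline sets are the part that encodes the “as little as possible” decision, so they belong in version control next to the host’s build definition.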

Equifax used several software arrangements that weren’t designed to be secure, instead adding security measures after the fact. This isn’t catastrophic in itself, but security and cryptography experts will point out that it’s much more difficult to make after-the-fact security effective. When looking for software that will access potentially sensitive information, look for software designed with security as a first priority.